Microsoft.SecurityInsights alertRules 2020-01-01
- Latest
- 2023-02-01-preview
- 2022-12-01-preview
- 2022-11-01
- 2022-11-01-preview
- 2022-10-01-preview
- 2022-09-01-preview
- 2022-08-01
- 2022-08-01-preview
- 2022-07-01-preview
- 2022-06-01-preview
- 2022-05-01-preview
- 2022-04-01-preview
- 2022-01-01-preview
- 2021-10-01
- 2021-10-01-preview
- 2021-09-01-preview
- 2021-03-01-preview
- 2020-01-01
- 2019-01-01-preview
Bicep resource definition
The alertRules resource type is an extension resource, which means you can apply it to another resource.
Use the scope property on this resource to set the scope for this resource. See Set scope on extension resources in Bicep.
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.SecurityInsights/alertRules resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.SecurityInsights/alertRules@2020-01-01' = {
name: 'string'
kind: 'string'
scope: resourceSymbolicName
etag: 'string'
// For remaining properties, see alertRules objects
}
alertRules objects
Set the kind property to specify the type of object.
For Fusion, use:
kind: 'Fusion'
properties: {
alertRuleTemplateName: 'string'
enabled: bool
}
For MicrosoftSecurityIncidentCreation, use:
kind: 'MicrosoftSecurityIncidentCreation'
properties: {
alertRuleTemplateName: 'string'
description: 'string'
displayName: 'string'
displayNamesExcludeFilter: [
'string'
]
displayNamesFilter: [
'string'
]
enabled: bool
productFilter: 'string'
severitiesFilter: [
'string'
]
}
For Scheduled, use:
kind: 'Scheduled'
properties: {
alertRuleTemplateName: 'string'
description: 'string'
displayName: 'string'
enabled: bool
query: 'string'
queryFrequency: 'string'
queryPeriod: 'string'
severity: 'string'
suppressionDuration: 'string'
suppressionEnabled: bool
tactics: [
'string'
]
triggerOperator: 'string'
triggerThreshold: int
}
Property values
alertRules
| Name | Description | Value |
|---|---|---|
| name | The resource name | string (required) |
| kind | Set the object type | Fusion MicrosoftSecurityIncidentCreation Scheduled (required) |
| scope | Use when creating an extension resource at a scope that is different than the deployment scope. | Target resource For Bicep, set this property to the symbolic name of the resource to apply the extension resource. |
| etag | Etag of the azure resource | string |
FusionAlertRule
| Name | Description | Value |
|---|---|---|
| kind | The alert rule kind | 'Fusion' (required) |
| properties | Fusion alert rule properties | FusionAlertRuleProperties |
FusionAlertRuleProperties
| Name | Description | Value |
|---|---|---|
| alertRuleTemplateName | The Name of the alert rule template used to create this rule. | string (required) |
| enabled | Determines whether this alert rule is enabled or disabled. | bool (required) |
MicrosoftSecurityIncidentCreationAlertRule
| Name | Description | Value |
|---|---|---|
| kind | The alert rule kind | 'MicrosoftSecurityIncidentCreation' (required) |
| properties | MicrosoftSecurityIncidentCreation rule properties | MicrosoftSecurityIncidentCreationAlertRuleProperties |
MicrosoftSecurityIncidentCreationAlertRuleProperties
| Name | Description | Value |
|---|---|---|
| alertRuleTemplateName | The Name of the alert rule template used to create this rule. | string |
| description | The description of the alert rule. | string |
| displayName | The display name for alerts created by this alert rule. | string (required) |
| displayNamesExcludeFilter | the alerts' displayNames on which the cases will not be generated | string[] |
| displayNamesFilter | the alerts' displayNames on which the cases will be generated | string[] |
| enabled | Determines whether this alert rule is enabled or disabled. | bool (required) |
| productFilter | The alerts' productName on which the cases will be generated | 'Azure Active Directory Identity Protection' 'Azure Advanced Threat Protection' 'Azure Security Center for IoT' 'Azure Security Center' 'Microsoft Cloud App Security' (required) |
| severitiesFilter | the alerts' severities on which the cases will be generated | String array containing any of: 'High' 'Informational' 'Low' 'Medium' |
ScheduledAlertRule
| Name | Description | Value |
|---|---|---|
| kind | The alert rule kind | 'Scheduled' (required) |
| properties | Scheduled alert rule properties | ScheduledAlertRuleProperties |
ScheduledAlertRuleProperties
| Name | Description | Value |
|---|---|---|
| alertRuleTemplateName | The Name of the alert rule template used to create this rule. | string |
| description | The description of the alert rule. | string |
| displayName | The display name for alerts created by this alert rule. | string (required) |
| enabled | Determines whether this alert rule is enabled or disabled. | bool (required) |
| query | The query that creates alerts for this rule. | string |
| queryFrequency | The frequency (in ISO 8601 duration format) for this alert rule to run. | string |
| queryPeriod | The period (in ISO 8601 duration format) that this alert rule looks at. | string |
| severity | The severity for alerts created by this alert rule. | 'High' 'Informational' 'Low' 'Medium' |
| suppressionDuration | The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered. | string (required) |
| suppressionEnabled | Determines whether the suppression for this alert rule is enabled or disabled. | bool (required) |
| tactics | The tactics of the alert rule | String array containing any of: 'Collection' 'CommandAndControl' 'CredentialAccess' 'DefenseEvasion' 'Discovery' 'Execution' 'Exfiltration' 'Impact' 'InitialAccess' 'LateralMovement' 'Persistence' 'PrivilegeEscalation' |
| triggerOperator | The operation against the threshold that triggers alert rule. | 'Equal' 'GreaterThan' 'LessThan' 'NotEqual' |
| triggerThreshold | The threshold triggers this alert rule. | int |
Quickstart templates
The following quickstart templates deploy this resource type.
| Template | Description |
|---|---|
Creates a new Microsoft Sentinel Scheduled Analytics Rule |
This sample shows how to create a new scheduled analytics rule in Microsoft Sentinel |
ARM template resource definition
The alertRules resource type is an extension resource, which means you can apply it to another resource.
Use the scope property on this resource to set the scope for this resource. See Set scope on extension resources in ARM templates.
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.SecurityInsights/alertRules resource, add the following JSON to your template.
{
"type": "Microsoft.SecurityInsights/alertRules",
"apiVersion": "2020-01-01",
"name": "string",
"kind": "string",
"scope": "string",
"etag": "string",
// For remaining properties, see alertRules objects
}
alertRules objects
Set the kind property to specify the type of object.
For Fusion, use:
"kind": "Fusion",
"properties": {
"alertRuleTemplateName": "string",
"enabled": "bool"
}
For MicrosoftSecurityIncidentCreation, use:
"kind": "MicrosoftSecurityIncidentCreation",
"properties": {
"alertRuleTemplateName": "string",
"description": "string",
"displayName": "string",
"displayNamesExcludeFilter": [ "string" ],
"displayNamesFilter": [ "string" ],
"enabled": "bool",
"productFilter": "string",
"severitiesFilter": [ "string" ]
}
For Scheduled, use:
"kind": "Scheduled",
"properties": {
"alertRuleTemplateName": "string",
"description": "string",
"displayName": "string",
"enabled": "bool",
"query": "string",
"queryFrequency": "string",
"queryPeriod": "string",
"severity": "string",
"suppressionDuration": "string",
"suppressionEnabled": "bool",
"tactics": [ "string" ],
"triggerOperator": "string",
"triggerThreshold": "int"
}
Property values
alertRules
| Name | Description | Value |
|---|---|---|
| type | The resource type | 'Microsoft.SecurityInsights/alertRules' |
| apiVersion | The resource api version | '2020-01-01' |
| name | The resource name | string (required) |
| kind | Set the object type | Fusion MicrosoftSecurityIncidentCreation Scheduled (required) |
| scope | Use when creating an extension resource at a scope that is different than the deployment scope. | Target resource For JSON, set the value to the full name of the resource to apply the extension resource to. |
| etag | Etag of the azure resource | string |
FusionAlertRule
| Name | Description | Value |
|---|---|---|
| kind | The alert rule kind | 'Fusion' (required) |
| properties | Fusion alert rule properties | FusionAlertRuleProperties |
FusionAlertRuleProperties
| Name | Description | Value |
|---|---|---|
| alertRuleTemplateName | The Name of the alert rule template used to create this rule. | string (required) |
| enabled | Determines whether this alert rule is enabled or disabled. | bool (required) |
MicrosoftSecurityIncidentCreationAlertRule
| Name | Description | Value |
|---|---|---|
| kind | The alert rule kind | 'MicrosoftSecurityIncidentCreation' (required) |
| properties | MicrosoftSecurityIncidentCreation rule properties | MicrosoftSecurityIncidentCreationAlertRuleProperties |
MicrosoftSecurityIncidentCreationAlertRuleProperties
| Name | Description | Value |
|---|---|---|
| alertRuleTemplateName | The Name of the alert rule template used to create this rule. | string |
| description | The description of the alert rule. | string |
| displayName | The display name for alerts created by this alert rule. | string (required) |
| displayNamesExcludeFilter | the alerts' displayNames on which the cases will not be generated | string[] |
| displayNamesFilter | the alerts' displayNames on which the cases will be generated | string[] |
| enabled | Determines whether this alert rule is enabled or disabled. | bool (required) |
| productFilter | The alerts' productName on which the cases will be generated | 'Azure Active Directory Identity Protection' 'Azure Advanced Threat Protection' 'Azure Security Center for IoT' 'Azure Security Center' 'Microsoft Cloud App Security' (required) |
| severitiesFilter | the alerts' severities on which the cases will be generated | String array containing any of: 'High' 'Informational' 'Low' 'Medium' |
ScheduledAlertRule
| Name | Description | Value |
|---|---|---|
| kind | The alert rule kind | 'Scheduled' (required) |
| properties | Scheduled alert rule properties | ScheduledAlertRuleProperties |
ScheduledAlertRuleProperties
| Name | Description | Value |
|---|---|---|
| alertRuleTemplateName | The Name of the alert rule template used to create this rule. | string |
| description | The description of the alert rule. | string |
| displayName | The display name for alerts created by this alert rule. | string (required) |
| enabled | Determines whether this alert rule is enabled or disabled. | bool (required) |
| query | The query that creates alerts for this rule. | string |
| queryFrequency | The frequency (in ISO 8601 duration format) for this alert rule to run. | string |
| queryPeriod | The period (in ISO 8601 duration format) that this alert rule looks at. | string |
| severity | The severity for alerts created by this alert rule. | 'High' 'Informational' 'Low' 'Medium' |
| suppressionDuration | The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered. | string (required) |
| suppressionEnabled | Determines whether the suppression for this alert rule is enabled or disabled. | bool (required) |
| tactics | The tactics of the alert rule | String array containing any of: 'Collection' 'CommandAndControl' 'CredentialAccess' 'DefenseEvasion' 'Discovery' 'Execution' 'Exfiltration' 'Impact' 'InitialAccess' 'LateralMovement' 'Persistence' 'PrivilegeEscalation' |
| triggerOperator | The operation against the threshold that triggers alert rule. | 'Equal' 'GreaterThan' 'LessThan' 'NotEqual' |
| triggerThreshold | The threshold triggers this alert rule. | int |
Quickstart templates
The following quickstart templates deploy this resource type.
| Template | Description |
|---|---|
| Creates a new Microsoft Sentinel Scheduled Analytics Rule |
This sample shows how to create a new scheduled analytics rule in Microsoft Sentinel |
Terraform (AzAPI provider) resource definition
The alertRules resource type is an extension resource, which means you can apply it to another resource.
Use the parent_id property on this resource to set the scope for this resource.
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.SecurityInsights/alertRules resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
type = "Microsoft.SecurityInsights/alertRules@2020-01-01"
name = "string"
parent_id = "string"
// For remaining properties, see alertRules objects
body = jsonencode({
kind = "string"
etag = "string"
})
}
alertRules objects
Set the kind property to specify the type of object.
For Fusion, use:
kind = "Fusion"
properties = {
alertRuleTemplateName = "string"
enabled = bool
}
For MicrosoftSecurityIncidentCreation, use:
kind = "MicrosoftSecurityIncidentCreation"
properties = {
alertRuleTemplateName = "string"
description = "string"
displayName = "string"
displayNamesExcludeFilter = [
"string"
]
displayNamesFilter = [
"string"
]
enabled = bool
productFilter = "string"
severitiesFilter = [
"string"
]
}
For Scheduled, use:
kind = "Scheduled"
properties = {
alertRuleTemplateName = "string"
description = "string"
displayName = "string"
enabled = bool
query = "string"
queryFrequency = "string"
queryPeriod = "string"
severity = "string"
suppressionDuration = "string"
suppressionEnabled = bool
tactics = [
"string"
]
triggerOperator = "string"
triggerThreshold = int
}
Property values
alertRules
| Name | Description | Value |
|---|---|---|
| type | The resource type | "Microsoft.SecurityInsights/alertRules@2020-01-01" |
| name | The resource name | string (required) |
| parent_id | The ID of the resource to apply this extension resource to. | string (required) |
| kind | Set the object type | Fusion MicrosoftSecurityIncidentCreation Scheduled (required) |
| etag | Etag of the azure resource | string |
FusionAlertRule
| Name | Description | Value |
|---|---|---|
| kind | The alert rule kind | "Fusion" (required) |
| properties | Fusion alert rule properties | FusionAlertRuleProperties |
FusionAlertRuleProperties
| Name | Description | Value |
|---|---|---|
| alertRuleTemplateName | The Name of the alert rule template used to create this rule. | string (required) |
| enabled | Determines whether this alert rule is enabled or disabled. | bool (required) |
MicrosoftSecurityIncidentCreationAlertRule
| Name | Description | Value |
|---|---|---|
| kind | The alert rule kind | "MicrosoftSecurityIncidentCreation" (required) |
| properties | MicrosoftSecurityIncidentCreation rule properties | MicrosoftSecurityIncidentCreationAlertRuleProperties |
MicrosoftSecurityIncidentCreationAlertRuleProperties
| Name | Description | Value |
|---|---|---|
| alertRuleTemplateName | The Name of the alert rule template used to create this rule. | string |
| description | The description of the alert rule. | string |
| displayName | The display name for alerts created by this alert rule. | string (required) |
| displayNamesExcludeFilter | the alerts' displayNames on which the cases will not be generated | string[] |
| displayNamesFilter | the alerts' displayNames on which the cases will be generated | string[] |
| enabled | Determines whether this alert rule is enabled or disabled. | bool (required) |
| productFilter | The alerts' productName on which the cases will be generated | "Azure Active Directory Identity Protection" "Azure Advanced Threat Protection" "Azure Security Center for IoT" "Azure Security Center" "Microsoft Cloud App Security" (required) |
| severitiesFilter | the alerts' severities on which the cases will be generated | String array containing any of: "High" "Informational" "Low" "Medium" |
ScheduledAlertRule
| Name | Description | Value |
|---|---|---|
| kind | The alert rule kind | "Scheduled" (required) |
| properties | Scheduled alert rule properties | ScheduledAlertRuleProperties |
ScheduledAlertRuleProperties
| Name | Description | Value |
|---|---|---|
| alertRuleTemplateName | The Name of the alert rule template used to create this rule. | string |
| description | The description of the alert rule. | string |
| displayName | The display name for alerts created by this alert rule. | string (required) |
| enabled | Determines whether this alert rule is enabled or disabled. | bool (required) |
| query | The query that creates alerts for this rule. | string |
| queryFrequency | The frequency (in ISO 8601 duration format) for this alert rule to run. | string |
| queryPeriod | The period (in ISO 8601 duration format) that this alert rule looks at. | string |
| severity | The severity for alerts created by this alert rule. | "High" "Informational" "Low" "Medium" |
| suppressionDuration | The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered. | string (required) |
| suppressionEnabled | Determines whether the suppression for this alert rule is enabled or disabled. | bool (required) |
| tactics | The tactics of the alert rule | String array containing any of: "Collection" "CommandAndControl" "CredentialAccess" "DefenseEvasion" "Discovery" "Execution" "Exfiltration" "Impact" "InitialAccess" "LateralMovement" "Persistence" "PrivilegeEscalation" |
| triggerOperator | The operation against the threshold that triggers alert rule. | "Equal" "GreaterThan" "LessThan" "NotEqual" |
| triggerThreshold | The threshold triggers this alert rule. | int |
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for